Privacy Issues Faced in Implementing a Paperless Data Collection System for Family Planning and Living Standards Data in the Republic of Indonesia
The purpose of this paper is to evaluate what moral and ethical decisions developers face when designing and creating computer systems/programs that incorporate sensitive data. I analyze the privacy issues I am facing while developing a system for computerizing the data collection process in the annual census of family planning and living standards data for the Ministry of People’s Welfare and Poverty Eradication in the Republic of Indonesia. In the process I have developed my own approach to analyzing privacy issues. I hope that this paper will help other people realize when they may face a similar dilemma and will provide an approach they can use to help them resolve it. I take a Socratic approach to privacy issues, posing and re-posing to myself a set of questions as a project progresses. This process has helped me better analyze my moral and ethical responsibilities to protect personal data, and it has also helped me to see that this is an issue that I and others in information technology will face throughout our careers. These are the questions I posed to myself on this project and their answers/conclusions:
1. What individualized and/or personal data is collected and why?
The Republic of Indonesia has the fourth largest population in the world. Establishing and maintaining sustainable population growth is a vital issue to this country. It is deeply intertwined with issues of quality of life, sustainable economic development and protection of the environment which in turn play a key role in the stability of the country.
The government agency charged with creating sustainable population growth and monitoring the well-being of each family is the Badan Koordinasi Keluarga Berencana Nasional, BKKBN, directed by First Secretary of the Ministry, Lalu Sudarmadi.
A nation-wide means of assessing each family’s progress toward prosperity has been established: volunteer field workers go door-to-door interviewing their neighbors about their use of family planning and their standard of living. Regional offices collect and condense (recapitulate) the information and forward it up through the BKKBN levels to the Ministry.
This information helps the Indonesian government plan and provide services to its citizens, providing a clearer picture of what areas are in need of particular services (e.g. elementary schools, health care, clean water, business development) or incentives to change behavior to help reduce future population-related problems. The data also helps organizations like the Red Cross and the United Nations to focus their efforts more effectively. The community uses personal data stored at the village level to help them obtain resources and funding for community improvement. An excellent example of how individuals benefit is that BKKBN and other government agencies provide training and assistance in starting their own home-based businesses to interested women who follow the BKKBN voluntary family planning program. The census is used to identify and qualify these women.
Very personal information is collected in the census, information that most people in the United States would not be comfortable discussing with friends and family, let alone with a neighbor collecting data for the government. Fieldworkers ask over eighty questions, e.g. what contraceptives the adults use, for how long they have been using contraceptives, how many children they have, how many they plan to have in the future, if the wife is currently trying to get pregnant, if they can afford to eat meat, fish or eggs at least once a week, if they have different clothes for work and for home, if they eat together as a family at least once a day, if they have a dirt or tiled floor, if they can afford to go to a traditional or modern doctor when they or their children are sick, if they actively practice a religion, and they record each answer together with the name and address of each responding family.
2. What privacy risks are involved with any of this personal identification or information?
The biggest risks involved are at the individual and family level. Individuals are concerned that information about them and their families could be misused, sold or recombined with other information to cause problems ranging from difficulty securing a loan and good health insurance, to job security and personal safety from those who might want to use their information against them or assume their identity. Other major risks involve communities and the country itself. A community could be blamed as "the cause" of problems and ostracized; resources and funding could be withdrawn; or one of Indonesia’s many ethnic or cultural groups could be targeted.
3. Do affected individuals and groups feel the risks are worth taking?
According to Bapak Lalu, when data collection began about 8 years ago, it was met with some resistance from Indonesian citizens and officials, especially because BKKBN places a sticker on the outside of each home, coded by color and shape to indicate the living standard level (one of four) of each family living there and what type of contraceptives they use. Now it is hard to find an Indonesian citizen who does not feel that it is important to give this personal information to the government, partially because identification of the individual family occurs only at the local level, reducing the chance that their data will be stolen or manipulated, but mostly because they can see how the information has been used to help their family and community. Many also recognize it is helpful to have their personal information posted on their homes because others strive for a better life by trying to "keep up" with their neighbors in a positive sense, since living standards levels are focused more on participation in the community, with a religion and with your family, than on material well-being. Only the lower two levels of living standards relate to economic achievement; the two higher levels depend on improving quality of life for others. A poorer family could reach the top level of living standards, while a rich family might not. This encourages improved quality of life for everyone.
A controlled study would be needed to determine how big a risk individuals actually feel they are taking. However, during the summer of 2000, while field testing the paperless data collection system I’m developing, I informally assessed opinion in both a city and in a rural peasant village. I was amazed at how seriously both the field workers and the families they interviewed take the importance of participation. No one seemed embarrassed or hesitant to share their answers to even the most personal of questions in front of a crowd of onlookers or on videotape.
4. How does individualized information flow through the current system?
BKKBN’s organizational hierarchy consists of offices and/or officials at every level from the central office in Jakarta down to the neighborhood block. The following are the levels of BKKBN that deal with data collected in the annual census:
Indonesian | US equivalent
Pusat | National Central Office
Propinsi | State
Kabupaten/Kodya | County/Large City
Pengawas PLKB (kecamatan) | Township/City
PLKB/PKB | BKKBN-created level to represent groups of towns or villages
PPKBD (desa) | Town/Village/Ward
Sub PPKBD (Dusun/RW) | Precinct
Rukung Tangga | Block
Kader | Volunteer Fieldworker
Keluarga | Family
All data are collected on large and complicated paper forms during an interview with a family by a fieldworker. After completing interviews with their assigned families, the field workers send their forms to the precinct where BKKBN employees summarize data for each block in the precinct. This first recapitulation removes all personal identification and individualized information from the process. The information is then condensed again and again as it moves up through each level until it is entered into the computer at the county or city level. The following illustrates the flow of data through the hierarchy:
5. How will individualized information flow through the paperless system?
The current data flow structure cannot be replicated because, at present and for the foreseeable future, the County/Large City level is the lowest level to have the desktop computers necessary for downloading data from handheld computers. The same data will be collected by the same field workers using handheld computers instead of paper forms. These computers will be collected at the village/precinct level on a monthly basis during the data collection period and then transferred to the township office. Township personnel will bring them to their monthly meeting with their County or City BKKBN office for downloading to the database. The data can then be formatted into reports for each of the lower and upper levels of BKKBN. The lower levels can receive printouts and the upper levels electronic versions. The diagram below illustrates the plan for data flow throughout the BKKBN hierarchy if/when the paperless system is fully implemented:
6. Will the planned system create differences in accessibility to personal and/or individualized information?
Paper-Based System | Paperless System
Personal identification and information is stored at village/precinct level by one BKKBN official; individualized data never goes beyond this point | Data downloaded from handheld computer and stored at a City/County level, with individualized data copied and distributed back to the village and precinct levels where it’s needed and used regularly
If someone at a higher level of BKKBN wants individualized data, someone must travel to that village to obtain the data | Anyone who has access to the database can get individualized data
Anyone who obtains the forms can get individualized data | Anyone who obtains the handheld computer before the data is downloaded can access individualized data
Data would have to be taken from or given away by the BKKBN official and would only be available for that particular village | The database could be hacked or access could be given to someone unauthorized
Finding data on a particular individual would be a long laborious process, hand-sorting through hundreds of hand-written forms, because data is not collected or stored in any particular order | Queries of the database would allow almost instant access to data on a particular individual anywhere in the County
 | Must mail/transport individualized information on both the handheld computer and paper printouts from the County/City level, with a risk of its being read/taken in transit
7. What steps can be taken to protect the data in the paperless system?
- password protection on palm computer (problem: this makes the job of the field worker more difficult since many of the field workers have never seen, much less used, a computer)
- password protection on database
- make sure security on database is strong
- after distribution of data from city/county down to village level, destroy all personal data in the database
- eliminate all identifying information not needed
- put computers at the town level to eliminate sending printouts and handheld computers (problem: this is a doubtful solution because it decreases paper copies and transport risks but increases locations with database access)
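The recapitulation described in question 4 (the first summary removes all personal identification, and only counts move up the hierarchy) and the two protection steps above (destroy personal data in the county database once the village printouts are produced; keep no identifying information that is not needed) can be expressed in code. The following is an added Python illustration, not BKKBN's software or anything from the original paper; the record fields, village, precinct and block names, and the sample families are all constructed for the example.

```python
from collections import Counter

# Fields that identify a family. In the paper system these never leave the
# village/precinct level; the county database should not retain them either.
IDENTIFYING_FIELDS = ("family_name", "address")

# Constructed sample records, shaped like what one handheld might hold after
# interviews in a single village (field names and values are assumptions).
SAMPLE_RECORDS = [
    {"family_name": "Family 1", "address": "Street 1", "precinct": "RW03", "block": "RT01",
     "living_standard": 1, "contraceptive": "pill", "children": 4},
    {"family_name": "Family 2", "address": "Street 2", "precinct": "RW03", "block": "RT01",
     "living_standard": 3, "contraceptive": "iud", "children": 2},
    {"family_name": "Family 3", "address": "Street 3", "precinct": "RW03", "block": "RT02",
     "living_standard": 2, "contraceptive": "none", "children": 1},
]


def _empty_summary():
    return {"families": 0, "children": 0,
            "living_standard": Counter(), "contraceptive": Counter()}


def recapitulate(records):
    """First recapitulation: condense family records into per-block counts.

    The result carries no family name or address, only counts keyed by
    (precinct, block), which is what moves up the hierarchy on paper.
    """
    blocks = {}
    for rec in records:
        agg = blocks.setdefault((rec["precinct"], rec["block"]), _empty_summary())
        agg["families"] += 1
        agg["children"] += rec["children"]
        agg["living_standard"][rec["living_standard"]] += 1
        agg["contraceptive"][rec["contraceptive"]] += 1
    return blocks


def roll_up(blocks):
    """Condense block-level counts again, to one summary per precinct."""
    precincts = {}
    for (precinct, _block), agg in blocks.items():
        p = precincts.setdefault(precinct, _empty_summary())
        p["families"] += agg["families"]
        p["children"] += agg["children"]
        p["living_standard"].update(agg["living_standard"])
        p["contraceptive"].update(agg["contraceptive"])
    return precincts


def has_identifiers(obj):
    """True if any identifying field name survives anywhere in a nested structure."""
    if isinstance(obj, dict):
        return any(k in IDENTIFYING_FIELDS or has_identifiers(v) for k, v in obj.items())
    if isinstance(obj, (list, tuple)):
        return any(has_identifiers(v) for v in obj)
    return False


class CountyDatabase:
    """County/City-level store that keeps individualized data only until the
    village printout has been produced, then retains block summaries alone."""

    def __init__(self):
        self._individual = {}      # village -> raw records, transient
        self.block_summaries = {}  # (precinct, block) -> counts, retained

    def load_from_handheld(self, village, records):
        """Download one handheld's records and build the retained summaries."""
        self._individual.setdefault(village, []).extend(records)
        self.block_summaries.update(recapitulate(records))

    def distribute_to_village(self, village):
        """Return the individualized printout for a village and destroy the
        county's copy, so later database queries cannot reach it."""
        return self._individual.pop(village, [])

    def lookup_family(self, family_name):
        """Individual lookup works only while records are still pending distribution."""
        for records in self._individual.values():
            for rec in records:
                if rec["family_name"] == family_name:
                    return rec
        return None


if __name__ == "__main__":
    db = CountyDatabase()
    db.load_from_handheld("Village X", SAMPLE_RECORDS)
    printout = db.distribute_to_village("Village X")
    print(len(printout), "records printed for the village;",
          "county retains identifiers:", has_identifiers(db.block_summaries))
```

The point of the structure is that the county database's retained state (`block_summaries`) is the same thing the paper system's first recapitulation produces, so `has_identifiers` on it is a check a developer can keep in a test suite; the individualized records exist at the county only between download and printout.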
In the process of analyzing these privacy issues, I discovered that using this Socratic method of posing and re-posing the same set of questions as the project progresses is very effective in helping me define what I needed to think about. It also made me realize what a personal, moral and ethical issue this is for everyone working in the information technology field. Theoretically, protecting the right to privacy is paramount and the need to safeguard it is obvious. In actual practice, as I am discovering as I work on this project, it is an extremely difficult and nuanced problem to address. At what level is it necessary to eliminate individualized information? Does anyone other than the individual deserve access to the information? If so, at what point should the line be drawn? Is that a decision for the individual, the information technologist or the customer? What if the customer's decision is that privacy is not an issue? Does one refuse to do what the customer stipulates? Does one insert unrequested safeguards that complicate usability or deny access to what the customer considers vital information? Does one quit a project in mid-stream or resign one's job over a privacy disagreement with a customer or boss? If so, will it make a difference or will the project be taken over by someone with no privacy concerns at all?
The project I am working on with BKKBN is a perfect test case for these questions. While I was immediately struck by the intimate nature of some of the questions asked of individuals in the census before I began the project, the issue of safeguarding people's privacy didn't occur to me until I was well into it. When I began to analyze the issue, I realized how many questions need to be asked and decisions made in order even to ascertain to what degree people's privacy was at risk, much less to be able to propose a solution. At present, privacy is quite well protected by the cumbersome nature of the paper system. Therefore it is the very system I am creating that puts privacy at risk. I personally know that First Secretary Lalu Sudarmadi is a moral and ethical person who would never misuse data. But I also know that his plans for the future involve creating electronic Family Folders containing even more personal data on individuals, and, unlike the current system or even the currently planned system, all of this individualized data would be reported to the top level of the government. And in contrast to Bapak Lalu, there is ample evidence that the Indonesian government as a whole is not always moral and ethical. Hundreds of readily available examples exist of the government using personal information to curtail human rights. My dilemma is whether or not I feel it is ethical to participate in creating a system that might be used at some point in time to deny people their rights. As I continue to work on this project pro bono (in both senses of the word: unpaid, and because I want to make the world a better place), I will continue to discuss these issues with Bapak Lalu and BKKBN officials and evaluate how or whether I am willing to proceed. And I will continue to ask myself whether I am helping provide a tool to systematically and efficiently abuse fundamental rights, and I hope everyone will take the same precautions.
Created before October 2004